Source: cve@mitre.org
Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Rack, a Ruby web server interface, is vulnerable to a denial-of-service (DoS) attack due to a flaw in how it handles form parameters. Attackers can exploit this vulnerability by sending a large number of specially crafted parameters, leading to excessive CPU consumption and making the server unresponsive. This impacts the availability of web applications using vulnerable versions of Rack.
Step 1: Payload Creation: The attacker crafts a large number of HTTP POST parameters. These parameters are designed to generate hash collisions within Rack's parameter parsing logic. This involves carefully selecting parameter names that, when hashed using the vulnerable hash function, produce the same hash value.
Step 2: Request Submission: The attacker sends an HTTP POST request to a vulnerable Rack application. The request body contains the crafted parameters.
Step 3: Parameter Parsing: The Rack application receives the request and begins parsing the parameters. The vulnerable hash function is used to generate hash keys for each parameter.
Step 4: Hash Collision Trigger: Due to the crafted parameters, multiple parameters hash to the same value, resulting in hash collisions. The server must then store these parameters in a data structure that handles collisions (e.g., a linked list).
Step 5: CPU Exhaustion: When the application attempts to access or process these parameters, it must iterate through the colliding parameters. Because of the large number of collisions, this iteration consumes a significant amount of CPU time, leading to a denial-of-service condition.
The vulnerability stems from Rack's use of a hash function (likely a default Ruby hash function at the time) to store and retrieve form parameters. The hash function's implementation allows for the creation of hash collisions, where different inputs map to the same hash value. By sending a large number of parameters designed to collide, an attacker can force the server to spend an excessive amount of time resolving these collisions, leading to high CPU usage. The root cause is the lack of protection against hash collision attacks within the parameter parsing logic. Specifically, the attacker can craft parameters that, when hashed, result in the same hash value, forcing the server to perform a linear search through a growing list of colliding parameters, resulting in a CPU exhaustion condition.
While no specific APTs are directly linked to this CVE, the ease of exploitation makes it attractive to a wide range of attackers, including script kiddies and opportunistic attackers. This vulnerability is a classic example of a DoS attack vector. CISA KEV status: Not listed.
High CPU utilization on the server, particularly during periods of high traffic.
Unusually slow response times from the web application.
Network traffic analysis revealing a large number of POST requests with a high volume of parameters.
Web server logs showing a large number of parameter entries in POST requests.
Intrusion Detection System (IDS) alerts triggered by suspicious POST request patterns (e.g., many parameters with similar names or crafted to collide).
Upgrade Rack to a patched version (1.1.3, 1.2.5, or 1.3.6 or later).
Implement a web application firewall (WAF) to filter malicious requests. Configure the WAF to limit the number of parameters allowed in a request or to block requests with suspicious parameter patterns.
Rate-limit requests to prevent a single client from overwhelming the server.
Monitor server resource usage (CPU, memory, network) and set up alerts for unusual spikes.
Consider using a more robust hash function or a different data structure for storing parameters if possible, although this is less critical if the Rack version is updated.
Regularly update all dependencies and software components to the latest versions.